Two vulnerabilities fixed in Rails 2.3.4

Rails version 2.3.4 has been released to fix two vulnerabilities.

  • A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
  • And a XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running with Ruby 1.9.

Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).


DoS vulnerability in BigDecimal

A Denial of Service (DoS) vulnerability was found in the BigDecimal standard Ruby library. An attacker could cause a segmentation fault and crash the Ruby interpreter. This is due to the BigDecimal method mishandling certain large values. Almost every Rails application is vulnerable to this because ActiveRecord relies on this method.

You are advised to update your Ruby installation. There is a temporary fix on Github. This fix breaks valid formats supported by BigDecimal, so you are advised to plan migrating to a new Ruby version.


Vulnerability in Rails 2.3 HTTP Authentication

There has been a security vulnerability in Rails in the HTTP digest authentication in Rails 2.3. That way someone can authenticate without any user name and password. The HTTP basic authentication seems to be not vulnerable to this problem.

The problem arises in the authenticate_or_request_with_http_digest method which will proceed even if the user name check returns nil.

You can find out more, including countermeasures at Nate's blog and the Rails weblog.


Hacking Ruby on Rails @ RailsWayCon09

I'm back from the nice RailsWayCon(ference) in Berlin. I did a session on Ruby on Rails Security, check out the slides:




Securing A Website With Client SSL Certificates 

In the comments of the last article Morgan came up with the idea of client SSL certificates to secure the admin panel. This is not authentication in a classical sense, it is saying which SSL certificates (which you self-signed) you allow to access a particular site. This is a better solution than limiting the access to various IP adresses when you are a work nomad and you have to access it from different parts in the world.

The steps to do this are:

  1. Setup OpenSSL to become a Certificate Authority (CA)
  2. Create a root CA key
  3. Create a key for the (sub)domain in question
  4. Setup your web server
  5. Create a client certificate and install it in your browser

Here is the HOWTO: Securing A Website With Client SSL Certificates